libsql: add sync metadata hash verification

LucioFranco · LucioFranco · commit de24d8211e4d · 2024-11-20T12:51:43.000-05:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/libsql/Cargo.toml b/libsql/Cargo.toml
@@ -43,6 +43,8 @@ fallible-iterator = { version = "0.3", optional = true }
 libsql_replication = { version = "0.6", path = "../libsql-replication", optional = true }
 async-stream = { version = "0.3.5", optional = true }
 
+crc32fast = { version = "1", optional = true }
+
 [dev-dependencies]
 criterion = { version = "0.5", features = ["html_reports", "async", "async_futures", "async_tokio"] }
 pprof = { version = "0.12.1", features = ["criterion", "flamegraph"] }
@@ -105,6 +107,7 @@ sync = [
   "dep:tokio",
   "dep:futures",
   "dep:serde_json",
+  "dep:crc32fast",
 ]
 hrana = [
   "parser",
diff --git a/libsql/src/local/database.rs b/libsql/src/local/database.rs
@@ -423,6 +423,8 @@ impl Database {
             frame_no += 1;
         }
 
+        // TODO(lucio): this can underflow if the server previously returned a higher max_frame_no
+        // than what we have stored here.
         let frame_count = end_frame_no - start_frame_no + 1;
         Ok(crate::database::Replicated {
             frame_no: None,
diff --git a/libsql/src/sync.rs b/libsql/src/sync.rs
@@ -129,12 +129,16 @@ impl SyncContext {
     async fn write_metadata(&mut self) -> Result<()> {
         let path = format!("{}-info", self.db_path);
 
-        let contents = serde_json::to_vec(&MetadataJson {
+        let mut metadata = MetadataJson {
+            hash: 0,
             version: METADATA_VERSION,
             durable_frame_num: self.durable_frame_num,
             generation: self.generation,
-        })
-        .unwrap();
+        };
+
+        metadata.set_hash();
+
+        let contents = serde_json::to_vec(&metadata).unwrap();
 
         atomic_write(path, &contents[..]).await.unwrap();
 
@@ -153,6 +157,9 @@ impl SyncContext {
 
         let metadata = serde_json::from_slice::<MetadataJson>(&contents[..]).unwrap();
 
+        metadata.verify_hash()?;
+
+        // TODO(lucio): convert this into a proper error
         assert_eq!(
             metadata.version, METADATA_VERSION,
             "Reading metadata from a different version than expected"
@@ -167,11 +174,44 @@ impl SyncContext {
 
 #[derive(serde::Serialize, serde::Deserialize)]
 struct MetadataJson {
+    hash: u32,
     version: u32,
     durable_frame_num: u32,
     generation: u32,
 }
 
+impl MetadataJson {
+    fn calculate_hash(&self) -> u32 {
+        let mut hasher = crc32fast::Hasher::new();
+
+        // Hash each field in a consistent order
+        hasher.update(&self.version.to_le_bytes());
+        hasher.update(&self.durable_frame_num.to_le_bytes());
+        hasher.update(&self.generation.to_le_bytes());
+
+        hasher.finalize()
+    }
+
+    fn set_hash(&mut self) {
+        self.hash = self.calculate_hash();
+    }
+
+    fn verify_hash(&self) -> Result<()> {
+        let calculated_hash = self.calculate_hash();
+
+        if self.hash == calculated_hash {
+            Ok(())
+        } else {
+            // TODO(lucio): convert this into a proper error rather than
+            // an panic.
+            panic!(
+                "metadata hash mismatch, expected={}, got={}",
+                self.hash, calculated_hash
+            );
+        }
+    }
+}
+
 async fn atomic_write<P: AsRef<Path>>(path: P, data: &[u8]) -> Result<()> {
     // Create a temporary file in the same directory as the target file
     let directory = path.as_ref().parent().unwrap();
@@ -195,3 +235,61 @@ async fn atomic_write<P: AsRef<Path>>(path: P, data: &[u8]) -> Result<()> {
 
     Ok(())
 }
+
+// TODO(lucio): for the tests to work we need proper error handling which
+// will be done in follow up.
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    #[ignore]
+    fn test_hash_verification() {
+        let mut metadata = MetadataJson {
+            hash: 0,
+            version: 1,
+            durable_frame_num: 100,
+            generation: 5,
+        };
+
+        assert!(metadata.verify_hash().is_err());
+
+        metadata.set_hash();
+
+        assert!(metadata.verify_hash().is_ok());
+    }
+
+    #[test]
+    #[ignore]
+    fn test_hash_tampering() {
+        let mut metadata = MetadataJson {
+            hash: 0,
+            version: 1,
+            durable_frame_num: 100,
+            generation: 5,
+        };
+
+        // Create metadata with hash
+        metadata.set_hash();
+
+        // Tamper with a field
+        metadata.version = 2;
+
+        // Verify should fail
+        assert!(metadata.verify_hash().is_err());
+
+        metadata.version = 1;
+        metadata.generation = 42;
+
+        assert!(metadata.verify_hash().is_err());
+
+        metadata.generation = 5;
+        metadata.durable_frame_num = 42;
+
+        assert!(metadata.verify_hash().is_err());
+
+        metadata.durable_frame_num = 100;
+
+        assert!(metadata.verify_hash().is_ok());
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -423,6 +423,8 @@ impl Database {`
`423`	`423`	`frame_no += 1;`
`424`	`424`	`}`
`425`	`425`
	`426`	`+ // TODO(lucio): this can underflow if the server previously returned a higher max_frame_no`
	`427`	`+ // than what we have stored here.`
`426`	`428`	`let frame_count = end_frame_no - start_frame_no + 1;`
`427`	`429`	`Ok(crate::database::Replicated {`
`428`	`430`	`frame_no: None,`